COSC 6397 – Information Assurance. Module M2 – Protocol Specification and Verification. University of Houston, Dr. Rakesh Verma. Lecture 1.


2 COSC 6397 – Information Assurance. Module M2 – Protocol Specification and Verification. University of Houston, Rakesh Verma. Lecture 1 of M2. (This work is supported in part by NSF)

3 Contents of M2: Cryptographic basics; Types of Protocols; Security properties; Taxonomy of Flaws and Attacks; Specification of Protocols; Specification of properties; Protocol analysis.

4 Cryptographic Basics: General principles (sender, receiver, plaintext, ciphertext, encryption, decryption, etc.); Symmetric key (or secret key) cryptography; Public key (or asymmetric) cryptography; One-way hash algorithms. All of these were covered in module M1?

5 Cryptographic Basics (contd.): Sender – one who sends. Receiver – one who receives. Plaintext – message to be sent; notation: P or M. Ciphertext – encoding of P or M; notation: C.

6 Cryptographic Basics (contd.): Encryption – the process of disguising a message to hide its contents; notation: E(M) = C. Decryption – the process of decoding C to recover M; notation: D(C) = M. Basic identity: D(E(M)) = M.

7 Cryptographic Basics (contd.): Cryptography – the art and science of keeping messages secure. Cryptographic algorithm – function used for encryption and decryption. Restricted (secret) or unrestricted (published, our focus). Unrestricted – based on a key K: E_K and D_K. The key for encryption and decryption can be different.

8 Cryptographic Basics (contd.): Symmetric key cryptography – encryption key can be computed from the decryption key or vice versa. Special case: the two keys are the same. Key(s) must be kept secret! Public key cryptography – encryption key is public, the decryption key is not. Decryption key should be hard to compute from the encryption key!

9 Cryptographic Basics (contd.): One-way functions – functions that are easy to compute but hard to invert. Computing f(x), given x, is easy. Computing x, given f(x), is hard. This sounds easy, but we have no proof that such functions exist! We will pretend they do. Trapdoor one-way functions – one-way functions such that computing x, given f(x) and some y, is easy.

10 Cryptographic Basics (contd.): Notation: 1-way for one-way. 1-way hash functions – A hash function that is also a 1-way function. A good 1-way hash function is also collision-free. Security of a 1-way hash function is its 1-wayness.

11 pro·to·col Pronunc… (…) n. 1. a. The forms of ceremony and etiquette observed by diplomats and heads of state. b. A code of correct conduct: safety protocols; academic protocol. 2. The first copy of a treaty or other such document before its ratification. 3. A preliminary draft or record of a transaction. 4. The plan for a course of medical treatment or for a scientific experiment. 5. Computer Science. A standard procedure for regulating data transmission between computers.

12 Protocols: Protocol – a series of steps involving two or more parties to accomplish a task. Must be unambiguous. Must be complete in some sense (specified action for lots of possible situations). Each step is either a computation or a message. Parties may distrust each other.

13 Types of Protocols: Our protocols are cryptographic – use cryptography for preventing eavesdropping, cheating, etc. Goal of the protocol is beyond secrecy. Examples: simultaneously sign a contract, convince one another of their identity, etc. Protocols can be classified in many ways, according to: parties involved, the purpose, the environment, etc.

14 Classification by Parties: Arbitrated protocols; Adjudicated protocols; Self-enforcing protocols.

15 Arbitrated Protocols: Arbitrated protocols – have an arbitrator, a disinterested third party trusted to complete a protocol. Easier if parties are face to face. Over computer networks this results in delay and overheads. Arbitrator becomes a bottleneck. Scaling issues. Arbitrator is vulnerable.

16 Adjudicated Protocols: Adjudicated protocols – a two-stage protocol with: a nonarbitrated subprotocol, and an arbitrated subprotocol executed only in exceptional circumstances – a dispute. This kind of arbitrator is called an adjudicator. Adjudicator only called in to judge fair execution of protocol. Detects cheating rather than preventing it. Good adjudicated protocol – adjudicator should be able to determine cheater's identity.

17 Self-enforcing Protocols: Self-enforcing protocols – protocol itself guarantees fairness. No arbitrator or adjudicator – if one party cheats, the others detect the cheating. Best type of protocol. Do not exist for every situation. Exercise: Find a situation for which there are no self-enforcing protocols.

18 Protocol Classification by Aim: Key-exchange protocols; Authentication protocols; Authentication and Key exchange protocols; Electronic Commerce protocols; …

19 Key Exchange Protocols: Goal is to distribute keys for secure sessions, channels, communication, etc. Classical key exchange protocols: TMN, Symmetric Needham-Schroeder, Denning-Sacco. Deployed protocols: Kerberos IV, SSL/TLS.

20 The TMN Protocol (1990) (Tatebayashi-Matsuzaki-Newman): Suitable for networks, mobile computing. Symmetric. Trusted server S. Parties don't have long term keys. Randomly chosen keys K_A, K_B, etc. Standard encryption function E(.), invertible only by server. Vernam encryption function V(.,.): V(M, V(M, N)) = N.

21 The TMN Protocol:
1. A → S : A, S, B, E(K_A)
2. S → B : S, B, A
3. B → S : B, S, A, E(K_B)
4. S → A : S, A, B, V(K_A, K_B)
A extracts K_B from message 4. Parties should agree on the session key chosen by B.

22 An Implementation of TMN: n = p·q, where p, q are primes. E(x) = x^3 mod n. S knows the 2 prime factors of n. V(x, y) = x exclusive-or y. Protocol looks good, but has big flaws!
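
An honest run of the four TMN messages using the implementation on slide 22, added here as an illustration and not part of the original lecture. The primes 1019 and 1031, the class and function names, and the use of Python's secrets module to pick keys are assumptions; the parameters are far too small for real use.

```python
# Added example (not from the lecture): honest TMN run with E(x) = x^3 mod n, V = XOR.
import secrets

E_EXP = 3  # public exponent from the slide


def E(x, n):
    """Standard encryption E(x) = x^3 mod n; anyone can compute it."""
    return pow(x, E_EXP, n)


def V(x, y):
    """Vernam encryption: V(M, V(M, N)) = N."""
    return x ^ y


def fresh_key(n):
    """Randomly chosen key in [2, n-2] (range is an assumption)."""
    return 2 + secrets.randbelow(n - 3)


class Server:
    """Trusted server S: knows p and q, so it alone can invert E."""

    def __init__(self, p, q):
        self.n = p * q
        # Cubing is invertible mod n only if gcd(3, (p-1)(q-1)) == 1.
        self._d = pow(E_EXP, -1, (p - 1) * (q - 1))
        self._pending = {}  # (A, B) -> K_A recovered from message 1

    def _decrypt(self, c):
        return pow(c, self._d, self.n)

    def msg1(self, a, s, b, enc_ka):
        """Receive message 1 (A -> S); return message 2 (S -> B)."""
        self._pending[(a, b)] = self._decrypt(enc_ka)
        return (s, b, a)

    def msg3(self, b, s, a, enc_kb):
        """Receive message 3 (B -> S); return message 4 (S -> A)."""
        ka = self._pending.pop((a, b))
        return (s, a, b, V(ka, self._decrypt(enc_kb)))


def run_tmn(p=1019, q=1031):  # constructed toy primes, both = 2 mod 3
    s = Server(p, q)
    ka = fresh_key(s.n)
    m2 = s.msg1("A", "S", "B", E(ka, s.n))   # 1. A -> S : A, S, B, E(K_A)
    kb = fresh_key(s.n)                      # 2. S -> B : m2 prompts B to pick K_B
    m4 = s.msg3("B", "S", "A", E(kb, s.n))   # 3. B -> S ; 4. S -> A
    return m2, kb, V(ka, m4[3])              # A: V(K_A, V(K_A, K_B)) = K_B
```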

23 Authentication Protocols: Authentication protocols – for authentication of parties (principals). Authentication – assurance of who you are talking to. Examples of specific aims: To make sure that those obtaining a session key are who they say they are. Make sure that the principal you think has the key does have it.

24 Authentication Protocols: Passwords or shared keys typically used by system administrators. Authentication can be a byproduct of a key-exchange protocol. Some authentication protocols: Feige-Fiat-Shamir (1987), Guillou-Quisquater (1988), Schnorr (1989).

25 Guillou-Quisquater Protocol: Smart-cards and other applications. Alice wants to prove her identity, bit string J, to Victor. Public information: exponent v, and a number n (n = p·q, p and q primes). Private key: B, with J·B^v = 1 (mod n).

26 Guillou-Quisquater Protocol:
A → V : J (P wants to prove that this J is hers)
1. A → V : T = r^v mod n (1 < r < n - 1, r random)
2. V → A : d (0 < d < v – 1, d random)
3. A → V : D = r·B^d mod n
4. V computes T' = D^v·J^d mod n. If T = T' (mod n), authentication succeeds.
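
One round of the Guillou-Quisquater exchange above, added as an example that is not part of the original lecture; it also shows why the check works: T' = D^v·J^d = r^v·(J·B^v)^d = r^v = T (mod n). The toy primes, v = 65537, J = 123456, and all class and function names are assumptions, and the private key is issued by a hypothetical authority that knows p and q.

```python
# Added example (not from the lecture): one Guillou-Quisquater round, toy parameters.
import secrets


def issue_private_key(J, v, p, q):
    """Hypothetical authority knowing p, q: returns B with J * B^v = 1 (mod n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    s = pow(v, -1, phi)               # needs gcd(v, phi) == 1
    return pow(pow(J, -1, n), s, n)   # B = v-th root of J^-1 mod n


class Prover:
    def __init__(self, B, v, n):
        self.B, self.v, self.n = B, v, n

    def commit(self, r=None):
        # Step 1: T = r^v mod n with 1 < r < n - 1
        self.r = r if r is not None else 2 + secrets.randbelow(self.n - 3)
        return pow(self.r, self.v, self.n)

    def respond(self, d):
        # Step 3: D = r * B^d mod n
        return (self.r * pow(self.B, d, self.n)) % self.n


class Verifier:
    def __init__(self, v, n):
        self.v, self.n = v, n

    def challenge(self, d=None):
        # Step 2: random d with 0 < d < v - 1 (range as on the slide)
        self.d = d if d is not None else 1 + secrets.randbelow(self.v - 2)
        return self.d

    def check(self, J, T, D):
        # Step 4: T' = D^v * J^d mod n; accept only if T' == T
        t_prime = (pow(D, self.v, self.n) * pow(J, self.d, self.n)) % self.n
        return t_prime == T % self.n


def gq_round(J, B, v, n, r=None, d=None):
    """Run steps 1-4 once; r and d can be fixed for reproducible checks."""
    prover, verifier = Prover(B, v, n), Verifier(v, n)
    T = prover.commit(r)
    D = prover.respond(verifier.challenge(d))
    return verifier.check(J, T, D)


# Constructed toy values, far too small for real use.
P, Q, V_EXP, J_ID = 1019, 1031, 65537, 123456
N = P * Q
B_PRIV = issue_private_key(J_ID, V_EXP, P, Q)
```

A prover holding the correct B is accepted for every r and d; a response computed from any other value of B fails the step 4 comparison whenever r is invertible mod n and d = 1.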

27 3 Important Concepts: Security; Privacy; Reliability.

28 Security: Security – the control of information. Ensures that: Authorized parties are properly authenticated. Their messages are sent through a network unaltered. In a secure system the origin, content and intended recipients of a message can be ensured. Security is not privacy.

29 Privacy: Privacy – the subject of information can control the information. Privacy requires security, but security is not sufficient. Security may preclude privacy! (by assuring that the subjects of information have neither control nor knowledge of the uses of that information)

30 Reliability: Reliability – provide certainty in the presence of network failures, memory losses and adversaries. Reliability and security are interdependent. Reliability is not security. Reliable protocols on unsecure servers provide reliable services to attackers as well as authentic users. Reliable electronic commerce requires fail-proof transactions.

31 Security Properties: Authentication – receiver of a message should be able to ascertain its origin. An intruder should not be able to masquerade as someone else. Implemented using shared information or ability to prove unique information (PINs and passwords). Secrecy – confidentiality. If a message is confidential it can be read only by intended recipients. Eavesdropping is difficult or useless.

32 Security Properties (contd.): Integrity – receiver of a message can verify that it has not been modified in transit. Integrity alone is not security. Availability – a system must be available; availability can be compromised by malicious hackers, network failures or commercial espionage. Nonrepudiation – a party cannot reasonably claim not to have taken an action. Example: sender falsely denies sending a message.

33 Reliability Properties: Atomicity – indivisibility. An atomic transaction either fails completely or succeeds completely. Consistency – all relevant parties agree on critical facts of the exchange. Isolation – result of a set of overlapping transactions must be serializable. Durability – a transaction can recover to its last consistent state.

34 Other Properties: Other properties may also be needed. For example, in Electronic Commerce: Certified Delivery, Goods Atomicity, etc. are also required.

35 Primary References: Bruce Schneier, Applied Cryptography. Linda Jean Camp, Privacy and Reliability in Electronic Commerce, PhD dissertation, CMU.

